An XSS flaw is a nuisance in any application, but in Signal, used by parties that want the highest levels of privacy, the impact is amplified.

An attacker posing as a contact could use the flaw to send a message containing a malicious URL to set up a range of code-injection compromises using image, audio or iframe tags, or simply to make the software crash.

Researcher Iván Ariel Barrera Oro, the flaw’s co-discoverer, described how he had chanced upon the issue completely by accident:

The critical thing here was that it didn’t require any interaction from the victim, other than simply being in the conversation.

Which meant:

Inside iframes, everything was possible, even loading code from an SMB share! This enables an attacker to execute remote code without caring about CSP [Content Security Policy].

That’s not a compromise of the software’s end-to-end encryption, but it would be helpful to an attacker trying to trick a would-be victim into giving up information about themselves.
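The bug class described above comes down to one rendering decision: whether the text of an incoming message is inserted into the client's page as markup or as text. The following is an added illustration, not Signal Desktop's code and not taken from the article or the researchers' write-up. It models a chat renderer as a function that produces an HTML string, shows the unsafe interpolation beside the escaped form, and adds a small check that flags any element tag that did not come from the renderer's own template. The sample message is constructed for the example; its body carries the kinds of tags the article names (image, iframe) so the difference between the two renderers is visible.

```javascript
// Added example (not Signal's code): two ways to turn a chat message into
// markup, plus a regression check a defender can run over renderer output.

// The five characters that can change how HTML is parsed, and their entities.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text so the browser treats it as characters, never as tags.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: the message body is interpolated straight into markup,
// so any tag the sender typed becomes a live element in the recipient's DOM.
function renderMessageUnsafe(msg) {
  return `<div class="message"><span class="sender">${msg.sender}</span>: ${msg.body}</div>`;
}

// Hardened pattern: every sender-controlled field is escaped first. The only
// elements in the result are the ones the template itself emits.
function renderMessageSafe(msg) {
  return `<div class="message"><span class="sender">${escapeHtml(msg.sender)}</span>: ${escapeHtml(msg.body)}</div>`;
}

// Regression check: list every element tag in the rendered markup that is not
// part of the template (div/span). A non-empty list means message content
// reached the page as HTML.
const TEMPLATE_TAGS = new Set(['div', 'span']);

function foreignTags(html) {
  const found = [];
  const tagPattern = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    const tag = match[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.push(tag);
  }
  return found;
}

// Constructed sample message (hypothetical, not a payload from the article).
const sample = {
  sender: 'contact',
  body: 'hi <img src="x"> <iframe src="//example.invalid/"></iframe>',
};

console.log('unsafe renderer, foreign tags:', foreignTags(renderMessageUnsafe(sample)));
console.log('safe renderer, foreign tags:  ', foreignTags(renderMessageSafe(sample)));
```

Running it prints `[ 'img', 'iframe', 'iframe' ]` for the unsafe renderer and `[]` for the escaped one. Output encoding at the point where untrusted text meets the DOM is the fix for this class of bug; as the researcher's comment about iframes shows, a Content Security Policy is a useful second layer but should not be relied on as the only one.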

Designated CVE-2018-10994, the flaw affects all desktop versions (Windows, Mac, Linux) but not the mobile Android or iOS apps. The vulnerable versions are v1.7.1, v1.8.0, v1.9.0, and v1.10.0, fixed by upgrading to v1.10.1 or v1.11.0-beta.3.

Update 2018-05-18

On 16 May the same researchers revealed another, related, XSS bug:

Open Whisper Signal (aka Signal-Desktop) through 1.10.1 allows XSS via a resource location specified in an attribute of a SCRIPT, IFRAME, or IMG element, leading to JavaScript execution after a reply, a different vulnerability than CVE-2018-10994. The attacker needs to send HTML code directly as a message, and then reply to that message to trigger this vulnerability.

CVE-2018-11101 can be resolved, like the earlier flaw, by upgrading to signal-desktop messenger v1.11.